[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[dm-devel] multipath-tools comments and licensing status?



Hi,

I've been looking at multipath-tools as I was suggested to look at
kpartx to mount partitioned disk images. It doesn't install in my Gentoo
because of two problems: buffer overflows reported by _FORTIFY_SOURCE
and --as-needed failures. Both are trivial to fix but there are other
problems.

a) buildsystem

While it's trivial to fix the build, I wonder if it wouldn't make more
sense to simply rewrite it with classical autotools, I can do that quite
easily, and it would have better results on the long run most likely,
especially for distributions.

b) general code string handling

There are two sure buffer overflows in datacore.c and hds.c when setting
vendor, as it'll be trying to write the null termination outside of te
buffer; it's trivial to fix, but actually the vendor array is only
filled in for hds.c to log it out (why not printing the expression
directly?) and not used at all in datacore.c; the same is true of the
other buffers.

In configure.c (and other files) WWID_LEN is improperly handled because
the various arrays don't consider NULL-termination, and in particular at
configure.c:173 the strncat() is using the totally wrong size and will
almost certainly always overflow if hit.

c) licensing.

This seems to be the most serious problem here: it doesn't seem like
there is a clear license on the software! There is a COPYING file with
LGPL 2 (not 2.1, but the Library version itself), most of the files
don't seem to declare a license at all, hbs.c declares itself to be GPL
(but not v2), while datacore.c declares itself as GPLv2. In Gentoo, the
package is listed as having GPL-2 license.

I'll be honest, I don't have any particular interest in fixing all of
this myself; I can send you the two patches for the issue above, not
particularly caring for the licensing situation. If you sort out the
licensing situation I can take care of rebuilding the build system
during free time. But if this is intended for production use somebody
should really review the code, professionally.

Sorry if it sounds harsh, I'm just not one for sugar-coating quick code
reviews.

-- 
Diego Elio Pettenò — “Flameeyes”
http://blog.flameeyes.eu/

If you found a .asc file in this mail and know not what it is,
it's a GnuPG digital signature: http://www.gnupg.org/

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]